Open source Android forensics: An HTCIA student charter project

March 8, 2012

We always like to hear about the cool new projects our students are engaging in, so we were excited to see University of Cincinnati student charter president Shadi Dibbini post on our Facebook page:

When we saw the site, we definitely wanted to talk more with Shadi about his team’s project!

HTCIA: How did you get the idea for Open Source Android Forensics? How long have you been working on it thus far?

SD: My team started working on this project at the beginning of the school year, late September, and it has to be completed by the beginning of May. In May, we will be presenting at the University of Cincinnati’s Tech Expo event. The Tech Expo is a showcase of senior design projects from IT students, and students from other programs. The event is entirely open to the public, so feel free to come down and check out all the cool projects.

I came up with the idea of Open Source Android Forensics (OSAF) because I really enjoy forensics, and I have been a smartphone enthusiast for the past 8 years. A little off topic here, but believe it or not, I used to buy a new smartphone every three months so that I can have the best device that’s currently out on the market… I learned pretty fast that I was wasting my money, so I quit buying that many phones.

Besides the fact I enjoy forensics and smartphones, what caught my eye a few years ago, during the rise and popularity of Android, was the fact that Google does not have a vetting procedure for the applications that are published on the market. Google is smart by allowing any publisher to rapidly release applications without having to wait or gain approval (cough..cough..Apple)… however, Apple is smart by vetting applications to protect their users.

In recent news though, Google did come up with a new application security scanner called “Bouncer” after realizing that they did have a huge issue with Android malware. Back in Q3 2011, there was a report that had stated that malicious Android apps have risen 473% in about a year or so… that is a lot of malware.

This report pretty much sparked my ingenuity for coming up with the OSAF project. The OSAF project was initially going to be just the OSAF-Toolkit, a Linux OS that has been injected with all the latest Android application analysis software, but I wanted more than that. I wanted to not only create a application ripping toolkit, I wanted to create a community where anyone interested in Android malware analysis can have a one stop shop for any information they need.

I want people to stop at our site before any other site, and  I want people to collaborate with each other, share new techniques and methodologies, and share their findings after they have ripped apart an application (hence the threat index).

Another honorable mention is that my team is currently working on documentation on how to perform analysis against any application. This is an A-Z guide of what tools to use, how to use them, what to look for during static/dynamic analysis and etc… We do not want to give people a toolkit and say, “here you go, figure it out yourself” like many other projects have done.

HTCIA: What need does your research and site fill that others were missing?

SD: Not to be cocky or anything, but the entirely “FREE” price point for a toolkit, documentation and a collaborative work environment is argument enough that our site is better than the rest. I see other companies/sites charging a lot of money for training, certifications, information and etc.

I, at one point, wanted to take some certifications in forensics and information security, but the training and certifications were just way too much money for a college undergrad to afford. So I looked at this project from a college kid’s perspective… If it’s free, it’s for me… That’s why we decided to name the project OSAF. We wanted every aspect of it to be entirely open source.

HTCIA: How many people are working on the project?

SD: There are 4 of us IT seniors, including myself, working on the project right now. I couldn’t have picked a better team for this project. They are very smart and dedicated individuals wanting to make this project the best it can be. I think the reason why we are so dedicated as a team is because the project itself is very fun and unique. I feel like we are pioneers in this sort of work because I can’t find any site online that is dedicate to creating an entire environment dedicated to android malware analysis.

HTCIA: What are your goals for the site over the long term?

SD: I want the OSAF project to be well recognized in the forensics and malware analysis community. I eventually want to get more people on board to help analyze applications, maintain the site and answer any questions people may have. One day, I hope companies will be knocking on our door asking if they can sponsor us, in order to help fund and build the project, while keeping it 100% free of charge.

HTCIA: How long have you been a student HTCIA member? How long have the other students been?

SD: I am actually the founder and President of the University of Cincinnati’s HTCIA student chapter. I started the student chapter back in May 2011. I think we have a little over 20 student members (a mix of IT, IS and Criminal Justice students) in our chapter so far, but I have been getting a lot of email lately about new students interested in joining the chapter.

My team members for this project are not student members of HTCIA sadly. I would like for them to be members, but we only have 3 more months of school before we graduate. I will definitely get them to become full HTCIA members upon graduation.

HTCIA: Anything else you want to mention about the project?

SD: I just want people to know about us and the goals of our project. We can agree that the web is entirely too large right? I feel like it is hard for start-up sites, like us, to make it big these days unless they provide content that interests a vast majority of people, or if the site provides a service that interests organizations.

We want OSAF to be a site that provides both content and services of interest. Organizations, and the general public, have to realize that mobile malware is not going to magically disappear any time soon. Criminals will eventually get more crafty in the way they embed malicious code into applications; who knows, maybe to the point where the malicious codes circumvents the Android permissions mechanism.

That’s where OSAF has an advantage over anyone else. Anyone can ask OSAF to analyze an application, a community member will perform analysis, give the analysis report/results to the OSAF admins for review, then the OSAF admins will publish the finding on the threat index. Ripping apart applications is the only real way to find Android malware, because we all know how well Android “Anti-Virus” works.

Find and bookmark, and keep an eye out for the site’s development, currently slated for completion in May! Shadi says that the toolkit is currently available online for download, and the malware analysis documentation will be complete in May as well.

Image: victoriawhite2010 via Flickr